The enemy within the firewall

By Louisa Hearn

Employees are now regarded as a greater danger to workplace cyber security than the gangs of hackers and virus writers launching targeted attacks from outside the firewall.

That is the perception of 75 per cent of Australian information technology managers who took part in an international IBM security survey.

With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing.

"People are becoming the weakest link. A fluid work force with diminished loyalty to organisations is being exacerbated by the fact that people do not always realise the value of information that they deal with," said Claudia Warwar, managing consultant at IBM BCS Security and Privacy Practice.

Ms Warwar believes that the rise in internal security attacks has come about because outside criminal gangs realise that recruiting or tricking employees to hand over insider knowledge is less expensive and less traceable than other forms of cybercrime.

And it seems the perception of this phenomenon is even worse in Australia than elsewhere in the world, with 11 per cent more respondents here identifying internal staff as their greatest threat.

Ms Warwar explained that one reason for this could be that where a larger country might normally have ten staff working in a team, here you might only have one, giving that person closer access to important information. "Employees here get to see more of the big picture and are closer to the whole business loop," she said.

But in spite of the threat, companies still allocate more of their security budgets to external threats.

While 32 per cent of survey respondents were intent on upgrading firewalls, only 15 per cent planned to invest in awareness and education training for employees and only 10 per cent restricted the use of mobile devices such as wireless handheld computers not specifically sanctioned by the IT staff.

"Organisations need to understand what are the key pieces of information that need to be protected and be able to track who has had access to them," she said.

Looking more broadly at the issue of cyber crime, the survey also found that regardless of who had caused it, 49 per cent of local businesses believed it represented a larger threat than physical crime.

The three most common types of cyber crimes are hacking, denial of service attacks, and viruses and malware, which target different types of organisations.

"One of our clients had a virus bouncing around the network for quite a few days which did quite a bit of damage, whereas a denial of service attack is more likely to target those transacting and doing a lot of business online. If a hacker really knows where they are going within say a large financial company then they can also really hit the jackpot," said Ms Warwar.

A recent security report from antivirus company Symantec said cybercrime represented today's greatest threat to consumers' digital lifestyle and to online businesses in general.

"While past attacks were designed to destroy data, today's attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence," the company said.